It is one thing for a company to say a device is cybersecure; a company that puts the efforts in to actually prove that is quite another. In that vein, February brought us the news that Eaton had entered into a strategic Cybersecurity collaboration with Underwriters Laboratories (UL) to drive development of new cybersecurity standards for power management products. This was an intriguing development. As automation systems include more connected devices, there is a greater risk for cybersecurity vulnerabilities. Recent security breaches have demonstrated the continued dynamic evolution of cybersecurity as vulnerabilities in both software and hardware continue to be identified. Consequently, it is increasingly imperative that cybersecurity is designed into the system components and overall design…and people will want proof of that.

Very intrigued by these developments I reached out to Max Wandera, the Director of the Eaton Cybersecurity Center of Excellence in order to learn more. He explained how Eaton and Underwriters Laboratories (UL) entered into the collaboration to provide a line of defense for industrial customers in today’s connected environments. With this collaboration, the two organizations aim to:

Advance cybersecurity for power management technologies

Help establish measurable cybersecurity standards for network-connected power management products and systems

One of the initial fruits of the collaboration has been the news that Eaton’s cybersecurity research and testing facility in Pittsburgh was the first lab approved to participate in UL’s Data Acceptance Program for cybersecurity – an initiative that is designed help address the evolving cybersecurity risks. In the interests of the necessary proof, products are tested in this specialized lab for compliance with industry cybersecurity requirements before they're installed in critical systems.

Wandera – a CISSP, GSLC, and the director of the Cybersecurity Center of Excellence at Eaton – is responsible for providing leadership and oversight in the strategic planning, development and assessment of Eaton products. He is responsible for the Secure Product Development Lifecycle Policy and compliance; including the research, design, development and implementation of security technologies for products, systems and software applications. His role works cross-functionally with corporate officers, business, and functional leaders and he acts as the voice of Eaton on Product Cybersecurity matters, interfacing with various government entities including the Department of Homeland Security, Customers, Industry forums and other Industrial Control Security Organizations.

I was able to go in-depth with Wandera aboutthe power management cybersecurity challenges and UL’s efforts to help industrial customers overcome them. “It’s critical that organizations practice comprehensive cybersecurity hygiene, in order to keep up with ever evolving cybersecurity vulnerabilities,” Wandera began, “Our goal is to ensure our product are compliant with cybersecurity standards and are secure when deployed in our customers environment by addressing cybersecurity from the beginning of product development life cycle." I continued to pose him a series of questions and have included his answers below:

Max Wandera – a CISSP, GSLC, and the director of the Cybersecurity Center of Excellence at Eaton.

Why is third-party certification for cybersecurity important?

Last year, businesses spent an estimated $964 billion on IoT devices. Moving forward, analysts forecast that connected devices and the data they generate will continue to grow exponentially. By 2020, an estimated 31 billion devices will be connected to the internet. As customers deploy more of these smart and connected solutions, it’s critical to trust and verify that the technologies they’re relying on are designed, built and tested to proven engineering practices – and industry guidelines such as the UL 2900 cybersecurity standard.

Are your products being certified for compliance with cyber security device standards? If so what cybersecurity device standards?

In the summer of 2017, the general requirements for the UL 2900 Standard for Software Cybersecurity for Network-Connectable Products (UL 2900) were published. These guidelines include processes to test devices for security vulnerabilities, software weaknesses and malware. To comply with this standard, Eaton has demonstrated thorough understanding of the scope of the standards and the ability to meet them throughout the product development lifecycle.

Backed by testing methodology that aligns with UL requirements, Eaton's Power Xpert Dashboard was the first power management product certified to the UL 2900-2-2 Standard for cybersecurity in industrial control systems. This user portal to Eaton's switchgear enables customers to monitor, diagnose and control devices from outside the arc flash boundary.

The Power Xpert Dashboard is the first of many power management devices that will attain UL 2900 certification. Additionally, because Eaton has the first lab approved to participate in UL's Data Acceptance Program for cybersecurity, we now have the capability to test products with intelligence or embedded logic to key aspects of the UL 2900-1 and 2900-2-2 Standards. Look to Eaton for additional devices certified to UL cybersecurity standards in months ahead.

What are the goals of this cybersecurity partnership as it relates to automation and digital factories?

In digital factories, intelligent power management technologies can provide the real-time visibility needed to proactively mitigate unplanned downtime and manufacturing inefficiencies. The annual cost of unplanned downtime for manufacturers is in the range of $50 billion. Digitizing factories to create a unified network of intelligent and connected devices can drive actionable outcomes in terms of preventative maintenance, training, production planning, quality and more.

Ultimately, these outcomes can yield significant improvements in productivity in terms of throughput, reduction in electricity consumption and downtime and measurable quality improvements. However, a digital factory relies on more than connectivity. Customers are seeking ways to reduce cybersecurity risk and optimize their investments, reducing cybersecurity risk by relying on tested industry engineering and design expertise is critical in broad terms. Eaton’s collaboration with UL is helping drive common criteria for assessing products to ensure that they meet industry standards and reduce cybersecurity risk. Through our rigorous cybersecurity processes and having the first lab approved to participate in the UL Data Acceptance Program, Eaton is developing products that comply with the most stringent standards and expectations for safe, secure power management.

Further, this collaboration with UL will help establish measurable cybersecurity criteria for network-connected power management products and systems. As we introduce more intelligent and connected systems, and these technologies are applied to support digital factories, our work with UL will help build trust and verified claims supporting the highest level of defense against emerging cybersecurity threats.

Why is Eaton partnering with UL significant?

As digital factories are able to collect more real-time data from power management equipment such as circuit breakers, variable frequency drives, meters, controllers, relays and other systems, reducing risk by relying on tested industry engineering and design expertise is critical. This collaboration helps provide and drive standards, testing and technologies to provide confidence that Eaton connected equipment and devices will be safe and comply with industry cybersecurity standards. Through our cybersecurity processes and having the first lab approved to participate in the UL Data Acceptance Program, Eaton is developing products that will be in compliance with some of the industry’s most stringent standard and expectations for safe, secure power management.

Further, as we introduce more intelligent and connected systems, and our customers apply these technologies to support electrical power management, this collaboration will help demonstrate the investment that Eaton has committed in Cybersecurity and build trust on our products.

Eaton established cybersecurity collaboration with UL, expands commitment to advancing smarter technologies and processes that enable trusted environments in a hyperconnected world. Image courtesy of Eaton.

What are the shortcomings of existing power management cybersecurity standards that necessitate new ones?

UL has established the industry’s first common criteria for assessing network-connected products to ensure they meet industry cybersecurity standards. Of course, there are a variety of cybersecurity standards and regulation, yet, to date, no other organization in the U.S. has provide prescriptive guidance on third-party cybersecurity certification for electrical power management technologies as the UL 2900 standard.

What are the other international standards to consider?

The American National Standards Institute (ANSI) and International Society of Automation (ISA) have also developed security and safety standards for industrial automation. The ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems standard is the basis for the International Electrotechnical Commission (IEC) 62443 standard. The IEC 62443 series of standards generally specify requirements for security capabilities. These capabilities may be technical capabilities that relates to security mechanism or process capabilities that are human in nature. We also have the ISO/IEC 27001 that can also be applied in any form of organizations to drive cybersecurity requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving documented information security management systems and many others.

UL2900 standard provides common criteria for assessing products to ensure they are compliant with the industry standards.

Does meeting this UL standard mean that a product is not vulnerable to known malware able to disrupt industrial processes?

It is critical to note that cybersecurity, even when designed into technology, is dependent on how technology is applied as threats continue to evolve. For example, if I have a smart phone and the manufacturer releases an update, it is my responsibility as the end user to update my device. If I don’t, my device may be more vulnerable to an attack versus an updated device.

Similarly, how a customer applies technology and the updates and upgrades they decide make sense for their system and environment will impact cybersecurity in their application. As threats evolve, Eaton continues to identify where risk may lie, works to remove risk and offers updates to our products regularly. An important part of the process is making sure that our customers are aware of those upgrades and take advantage of the latest technologies, best practices and versions available. Our cybersecurity website is one resource to find news of new vulnerabilities, evolving threats or receive information on product updates.

What is the goal of product security at Eaton? What are you looking to achieve?

Software and communication technologies are changing the face of the electricity delivery system. Traditionally, electrical systems were controlled through serial devices connected to computers via dedicated transceivers with proprietary protocols. In contrast, today’s control systems are increasingly connected to larger enterprise networks, which can expose these systems to vulnerabilities that are typically found in IT systems.

The main goals of Eaton’s approach to product security are to advance safety and protect the availability, integrity and confidentiality of electrical systems

To protect important assets, organizations should take cybersecurity threats seriously and meet them proactively with a defensive approach specific to organizational needs, while taking advantage of the latest updates to technologies.

There is no protection method that is completely secure. A “defense in depth” mechanism that is effective today may not be effective tomorrow – as the ways and means of cyber-attacks constantly change. It is critical that administrators remain aware of changes in cybersecurity and continue to work to prevent any potential vulnerabilities in the systems they manage.

Is it the testing facility in Pittsburgh the only facility of its kind? If not, what makes it unique?

Eaton has the first lab approved to participate in UL's Data Acceptance Program for cybersecurity. And we now have the capability to test Eaton products with intelligence or embedded logic to key aspects of the UL 2900-1 and 2900-2-2 Standards. Our customers don't want to take chances with their systems. With products tested in our specialized labs, customers can rest easier knowing Eaton devices are compliant with industry cybersecurity requirements before they're installed in their critical systems.

In a hyper-connected world, trusted environments are a must. Eaton's commitment to defending those environments comes to life at our lab in Pittsburgh, where our experts discover new ways to help protect products and systems against cyberattack, provide internal training and help customers deploy and maintain secure solutions.